Fix it Once

How Ancestry Successfully Manages Vulnerabilities in the Cloud through Amazon Machine Images
[Screenshot: AncestryDNA Story for Grant Johnson, showing Additional Communities: Mountain West Mormon Pioneers, New York Settlers, Northeastern States Settlers, Rhode Island & Southeastern Massachusetts Settlers, Tennessee & Southern States Settlers]


About us

• World's largest online collection of family history records - billions & billions
• 3+ million wonderful subscribers
• 100 million family trees
• 10 web properties
• 3 petabytes of data under management
• DNA kits available in 30+ countries
• 700K genomic markers
• 350 global regions
• Largest DNA repository in the world


• Ancestry is founded
• Internet site launched
• Begin mitochondrial DNA testing
• 1 million people tested
• 16 million people tested
Challenges

Background: Why the Cloud?

• Growth
• Rapid cycle expansion
• Fast moving traffic & business cycles
• Resiliency & uptime
• Multiple global regions
• Multiple Availability Zones

[Chart: Transactions per second (axis to 250) across the year: Jan - Oct, November/December (e.g. Black Friday / Cyber Monday), Jan]
Tactical Approach to the Cloud

Each stack had to be imaged & rapidly deployable
• Needed to realize resiliency goals — can't just lift-and-shift
• Make use of cloud elasticity and containerization
• More standardized toolset
• We use and mandate AWS Tags
• Every system needed a NAMED owner or was shut down

Removed Access
• Separate AWS accounts for Development, Smoke, Production, SOX, and PCI
• Absolutely NO Dev Production Access. Results: Huge P1 Incidents!
• IF it is awake, it is subject to scanning
• Approved Images (AMI) with Authentication Keys
Challenges

Each stack had to be imaged & rapidly deployable
• Needed to realize resiliency goals — can't just lift-and-shift
• Make use of cloud elasticity and containerization
• More standardized toolset

Here is what we did...
• Separate AWS accounts for Development, Smoke, Production, SOX, and PCI
• Absolutely NO Stage or Production access (spoiler alert: Huge P1 incidents!)
• IF it is awake, it is subject to scanning
• Approved Images (AMI) with Authentication Keys
• Every system needed a NAMED owner or was shut down (Qualys to find unnamed servers)
Solution

Approved Images — AMIs

Ancestry required a new way of thinking about servers

Servers are cattle, not pets
Solution

Don't push patches... patch the AMI

Shut down the old one. Spin up the new one with the new AMI.

NO cows were harmed in our AWS migration!
Why Ancestry chooses AWS and Qualys

Why AWS?
• System resiliency
• Rapid elastic expansion
• Supported our rapid growth

Why Qualys?
• Proven ability to work well with AWS — expanded with our needs
• Virtually maintenance free, once we set it up
• The data was accurate — no false positives
Challenges

Lessons learned
• Don't get fixated on the count of vulnerabilities
• Buy-in at executive level
• Think operationally — not exceptionally
• KEEP CALM and STICK to the process ... it takes time to work
• Communication and visibility

And then this...

[Chart: Vulnerability Count over time, Confirmed Sev4 and Sev5]

And finally this... This happened: >80% drop in vulnerabilities

Don't shoot for ZERO
Benefits are awesome

• My ask of Development: Do one thing. Update the image.
• Forced us to have a more homogeneous platform and process
• Synced security with business goals
• Process seems to be sustainable!
• 76%+ NIX scans are fully authenticated — 99% Windows
• Works for some applications as well

[Dashboard widget: AUGUST IMAGE, 106K, -10.0%, showing last 33 days]
Benefits are awesome

• Works at the application layer as well

[Dashboard: Java Vulns, one widget per missing Java patch level, each with a count, a 0.0% change and "Showing last 81 days". Widget titles: L1 MISSING OCTOBER 2018 JAVA PA..., L1 JAVA JANUARY 2018 MISSING, L1 JAVA PATCH MISSING JULY 2018, L1 MISSING JAVA APRIL 2018, L1 MISSING JAVA APRIL 2017, L1 JAVA UPDATE JAN 2019, L1 MISSING JAVA OCTOBER 2017, L1 MISSING JAVA OCTOBER 2016, CORRETTO]
Dashboards

Key Metrics
• Use of approved image
• Confirmed 4s & 5s Ageing*
• Number of Vulns Fixed
• Scan coverage — Target 95%
• Authentication Percentage — Target 95%
• Vulnerabilities not fixed by Image

* Aged based on vulnerability release date — pending...
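A small worked version of two of these metrics, added here as an example and not part of the Ancestry or Qualys material: it computes "use of approved image" and flags awake instances without a named owner over data shaped like boto3's ec2.describe_instances() response. The instance records, AMI ids and the "Owner" tag key are constructed assumptions.

```python
# Added example (not Ancestry's or Qualys's code): two of the deck's key metrics,
# "use of approved image" and "named owner or shutdown", computed over data shaped
# like boto3's ec2.describe_instances() response. The sample below is constructed
# so the script runs offline; the AMI ids and the "Owner" tag key are assumptions.

SAMPLE_RESERVATIONS = [  # constructed sample, mirrors Reservations[].Instances[]
    {"Instances": [
        {"InstanceId": "i-0aaa", "ImageId": "ami-approved-aug",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Owner", "Value": "web-team"}]},
        {"InstanceId": "i-0bbb", "ImageId": "ami-stale-june",  # off-image
         "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "legacy-batch"}]},  # no Owner tag
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc", "ImageId": "ami-approved-aug",
         "State": {"Name": "running"}, "Tags": []},  # no Owner tag
        {"InstanceId": "i-0ddd", "ImageId": "ami-stale-june",
         "State": {"Name": "stopped"}, "Tags": []},  # asleep: not in scope
    ]},
]
APPROVED_AMIS = {"ami-approved-aug"}  # assumed id of this month's approved image


def running_instances(reservations):
    """Flatten the reservations and keep only instances that are awake."""
    return [inst for res in reservations for inst in res["Instances"]
            if inst["State"]["Name"] == "running"]


def tag_value(instance, key):
    """Return the value of a tag, or None; Tags is a list of Key/Value dicts."""
    return next((t["Value"] for t in instance.get("Tags", [])
                 if t["Key"] == key), None)


def compliance_report(reservations, approved_amis, owner_key="Owner"):
    """Percent of awake instances on an approved AMI, plus the instance ids
    that are off-image or carry no named owner (the shutdown candidates)."""
    awake = running_instances(reservations)
    off_image = [i["InstanceId"] for i in awake
                 if i["ImageId"] not in approved_amis]
    unowned = [i["InstanceId"] for i in awake if not tag_value(i, owner_key)]
    on_image = len(awake) - len(off_image)
    pct = round(100.0 * on_image / len(awake), 1) if awake else 0.0
    return {"running": len(awake), "approved_image_pct": pct,
            "off_image": off_image, "missing_owner": unowned}
```

Feeding the same functions a live `ec2.describe_instances()` response gives the "use of approved image" percentage for a dashboard, and the two lists are the instances the deck's policy would shut down or rebuild.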
[Dashboard: "Vulnerabilities NOT FIXED By Image" (Count: 53, Average Age: 102.92) and "Vulnerabilities Fixed by Image" (Count: 4, Average Age: 103.00), broken out per owner, with columns Vulnerability, Host Name, Age, Sev, Detection Source, Solution. Visible rows include Amazon Linux Security A..., Microsoft ASP.NET MVC Security Feature Bypass, Microsoft .NET Framew... and Microsoft Windows Security Update entries.]
Q&A

Thank you!